Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in 
at 2013-11-12 16:36:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes  2013-09-29 17:50:46.000000000 
+0200
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes     2013-11-12 
16:36:45.000000000 +0100
@@ -1,0 +2,14 @@
+Tue Nov 12 13:08:44 CET 2013 - ku...@suse.de
+
+- Add encryption_method_nis.diff:
+  - implement pam_unix2 functionality to use another hash for
+    NIS passwords.
+
+-------------------------------------------------------------------
+Fri Nov  8 16:01:35 CET 2013 - ku...@suse.de
+
+- Add pam_unix.diff:
+  - fix if /etc/login.defs uses DES
+  - ask always for old password if a NIS password will be changed
+
+-------------------------------------------------------------------

New:
----
  encryption_method_nis.diff
  pam_unix.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.MemVTR/_old  2013-11-12 16:36:46.000000000 +0100
+++ /var/tmp/diff_new_pack.MemVTR/_new  2013-11-12 16:36:46.000000000 +0100
@@ -53,6 +53,8 @@
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
+Patch1:         pam_unix.diff
+Patch2:         encryption_method_nis.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -97,6 +99,8 @@
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"

++++++ encryption_method_nis.diff ++++++
diff --git a/modules/pam_unix/pam_unix_passwd.c 
b/modules/pam_unix/pam_unix_passwd.c
index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, 
const char **argv)
                 * rebuild the password database file.
                 */
 
+
+               /* if it is a NIS account, check for special hash algo */
+               if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 
1)) {
+                 /* preset encryption method with value from /etc/login.defs */
+                 int j;
+                 char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", 
LOGIN_DEFS);
+                 if (val) {
+                   for (j = 0; j < UNIX_CTRLS_; ++j) {
+                     if (unix_args[j].token && unix_args[j].is_hash_algo
+                         && !strncasecmp(val, unix_args[j].token, 
strlen(unix_args[j].token))) {
+                       break;
+                     }
+                   }
+                   if (j >= UNIX_CTRLS_) {
+                     pam_syslog(pamh, LOG_WARNING, "unrecognized 
ENCRYPT_METHOD_NIS value [%s]", val);
+                   } else {
+                     ctrl &= unix_args[j].mask;  /* for turning things off */
+                     ctrl |= unix_args[j].flag;  /* for turning things on  */
+                   }
+                   free (val);
+                 }
+               }
+
                /*
                 * First we encrypt the new password.
                 */
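Review bot: The hash flags in `ctrl` are overridden here after `_set_ctrl` has already run, and the `support.c` section of this patch shows `SHA_CRYPT_MAX_ROUNDS` being read only when a SHA flag is already on at that point. If `ENCRYPT_METHOD_NIS` selects sha256 or sha512 while `ENCRYPT_METHOD` names something else, the configured rounds are presumably never loaded and the new NIS hash is built with the default cost. Re-reading the rounds after the override, or at least a comment such as `/* SHA_CRYPT_MAX_ROUNDS is not re-read after this override */`, would make that explicit. The comparison is also prefix-only (`strncasecmp` bounded by `strlen(unix_args[j].token)`), so a mistyped value that merely starts with a known token is accepted without the warning. The body of `pam_sm_chauthtok` starts and ends outside the hunk.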
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,8 +37,8 @@
 #define SELINUX_ENABLED 0
 #endif
 
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
 {
   FILE *fp;
   char *buf = NULL;
@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, 
int *rounds,
        }
 
        /* preset encryption method with value from /etc/login.defs */
-       val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+       val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
        if (val) {
          for (j = 0; j < UNIX_CTRLS_; ++j) {
            if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, 
int *rounds,
 
          /* read number of rounds for crypt algo */
          if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, 
ctrl))) {
-           val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+           val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
 
            if (val) {
              *rounds = strtol(val, NULL, 10);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
 
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
                        unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
 #endif /* _PAM_UNIX_SUPPORT_H */
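Review bot: The newly exported `_unix_search_key` has no comment stating its ownership contract, although the caller added in `pam_unix_passwd.c` tests the result against NULL and releases it with `free (val)`. Now that the function is no longer `static`, the prototype should carry that contract, e.g. `/* returns an allocated copy of the value for key in filename, or NULL; the caller must free() it */`. The allocation behaviour is inferred from the visible callers, since the function body lies outside the hunks shown.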
++++++ pam_unix.diff ++++++
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6575938..6f5b2eb 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,8 +97,9 @@ typedef struct {
                                           password hash algorithms */
 #define UNIX_BLOWFISH_PASS       26    /* new password hashes will use 
blowfish */
 #define UNIX_MIN_PASS_LEN        27    /* min length for password */
+#define UNIX_DES                 28     /* DES, default */
 /* -------------- */
-#define UNIX_CTRLS_              28    /* number of ctrl arguments defined */
+#define UNIX_CTRLS_              29    /* number of ctrl arguments defined */
 
 #define UNIX_DES_CRYPT(ctrl)   
(off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
 
@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000, 
0},
 /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000, 
1},
 /* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,         0400000000, 
0},
+/* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 
1},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
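Review bot: The new `des` row has a flag of `0`, so `on(UNIX_DES, ctrl)` can never be true and the entry works only through its mask, which clears the other hash-algorithm bits; `/* DES, default */` does not convey that. A comment on the row such as `/* flag 0: selects DES by clearing all other hash bits; test with UNIX_DES_CRYPT(ctrl), not on() */` would prevent later misuse. Because the row carries a token, `des` presumably also becomes accepted as a module argument, which makes the weakest hash explicitly selectable; if it is meant only for legacy NIS maps, the module documentation should say so. The mask literal `0260420000` is repeated from the blowfish row, and a named constant would keep the two in step.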
diff --git a/modules/pam_unix/pam_unix_passwd.c 
b/modules/pam_unix/pam_unix_passwd.c
index 9aae3b0..d5f2540 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -614,7 +614,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, 
const char **argv)
 
                if (_unix_blankpasswd(pamh, ctrl, user)) {
                        return PAM_SUCCESS;
-               } else if (off(UNIX__IAMROOT, ctrl)) {
+               } else if (off(UNIX__IAMROOT, ctrl) ||
+                          (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, 
user, 0, 1))) {
                        /* instruct user what is happening */
                        if (asprintf(&Announce, _("Changing password for %s."),
                                user) < 0) {
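Review bot: The widened condition has no comment explaining why root is now treated like an ordinary user, and the rule is security-relevant because it decides when the old password is demanded. A line above the `else if` such as `/* always ask for the old password when a NIS password is changed, even as root */` would record it. `_unix_comesfromsource(pamh, user, 0, 1)` appears to consult only NIS, so for an account present both locally and in NIS root would presumably be prompted as well; confirm that is intended. `pam_sm_chauthtok` starts and ends outside the hunk.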